Vulnerability Monitor

The vendors, products, and vulnerabilities you care about

CVE-2021-40906

CheckMK Raw Edition software (versions 1.5.0 to 1.6.0) does not sanitise the input of a web service parameter that is in an unauthenticated zone. This Reflected XSS allows an attacker to open a backdoor on the device with HTML content and interpreted by the browser (such as JavaScript or other client-side scripts) or to steal the session cookies of a user who has previously authenticated via a man in the middle. Successful exploitation requires access to the web service resource without authentication.

Published

2022-03-25T23:15:08.287

Last Modified

2024-11-21T06:25:04.797

Status

Modified

Source

[email protected]

Severity

CVSSv3.1: 6.1 (MEDIUM)

CVSSv2 Vector

AV:N/AC:M/Au:N/C:N/I:P/A:N

Access Vector: NETWORK
Access Complexity: MEDIUM
Authentication: NONE
Confidentiality Impact: NONE
Integrity Impact: PARTIAL
Availability Impact: NONE

Exploitability Score

8.6

Impact Score

2.9

Weaknesses

Type: Primary
CWE-79

Affected Vendors & Products

Type	Vendor	Product	Version/Range	Vulnerable?
Application	checkmk	checkmk	< 1.6.0	Yes
Application	checkmk	checkmk	1.6.0	Yes
Application	checkmk	checkmk	1.6.0	Yes
Application	checkmk	checkmk	1.6.0	Yes
Application	checkmk	checkmk	1.6.0	Yes
Application	checkmk	checkmk	1.6.0	Yes
Application	checkmk	checkmk	1.6.0	Yes
Application	checkmk	checkmk	1.6.0	Yes
Application	checkmk	checkmk	1.6.0	Yes
Application	checkmk	checkmk	1.6.0	Yes
Application	checkmk	checkmk	1.6.0	Yes
Application	checkmk	checkmk	1.6.0	Yes
Application	checkmk	checkmk	1.6.0	Yes
Application	checkmk	checkmk	1.6.0	Yes
Application	checkmk	checkmk	1.6.0	Yes
Application	checkmk	checkmk	1.6.0	Yes
Application	checkmk	checkmk	1.6.0	Yes
Application	checkmk	checkmk	1.6.0	Yes
Application	checkmk	checkmk	1.6.0	Yes
Application	checkmk	checkmk	1.6.0	Yes
Application	checkmk	checkmk	1.6.0	Yes
Application	checkmk	checkmk	1.6.0	Yes
Application	checkmk	checkmk	1.6.0	Yes
Application	checkmk	checkmk	1.6.0	Yes
Application	checkmk	checkmk	1.6.0	Yes
Application	checkmk	checkmk	1.6.0	Yes
Application	checkmk	checkmk	1.6.0	Yes
Application	checkmk	checkmk	1.6.0	Yes
Application	checkmk	checkmk	1.6.0	Yes
Application	checkmk	checkmk	1.6.0	Yes
Application	checkmk	checkmk	1.6.0	Yes
Application	checkmk	checkmk	1.6.0	Yes
Application	tribe29	checkmk	1.6.0b10	Yes
Application	tribe29	checkmk	1.6.0b11	Yes
Application	tribe29	checkmk	1.6.0p10	Yes
Application	tribe29	checkmk	1.6.0p17	Yes
Application	tribe29	checkmk	1.6.0p18	Yes

References

http://checkmk.com Product ([email protected])
https://github.com/Edgarloyola/CVE-2021-40906 Third Party Advisory ([email protected])
http://checkmk.com Product (af854a3a-2127-422b-91ae-364da2661108)
https://github.com/Edgarloyola/CVE-2021-40906 Third Party Advisory (af854a3a-2127-422b-91ae-364da2661108)